The FTC has demanded that Facebook be hit with a fine that would set a record for any penalty yet imposed on a technology firm, but the social network is alarmed about the proposed settlement agreement's terms and conditions, The Washington Post reports, citing two unnamed people familiar with the government's probe.

The largest fine imposed by the FTC against a technology company to date was $22.5 million against Google. The regulator accused the search giant of having been "misrepresenting the extent to which consumers can exercise control over the collection of their information."

With first-time offenders, the FTC can only negotiate a settlement, which frequently results in a company agreeing to specific information security improvements and regular audits. Organizations that break that agreement can then be hit with penalties or taken to court by the FTC.

Since 2011, Facebook has been bound by an agreement with the FTC stemming from its previous privacy missteps, including sharing users' data without consent.

Cambridge Analytica Probe

The FTC launched a fresh probe in March 2018 over revelations that a controversial data analytics firm, Cambridge Analytica, was able to obtain 87 million Facebook profiles from a Cambridge University lecturer who created a popular personality quiz on the social network (see: Facebook: 87M Accounts May Have Been Sent To Cambridge Analytica).

London-based Cambridge Analytica, which is now defunct, was a political consulting firm that worked for both President Donald Trump's campaign and the U.K.'s "Brexit" referendum on its EU membership.

If Facebook fails to reach an agreement with the FTC, the regulator's next move would be to take the case - and its penalty demands - to court. If that happens, the FTC could call on the social network's top executives to testify (see: Facebook's Zuckerberg Takes First Drubbing in D.C.).

"Facebook faces a moment of reckoning, and the only way it will come is through an FTC order with severe penalties and other sanctions that stop this kind of privacy misconduct going forward," Democratic Sen. Richard Blumenthal, D-Conn., tells The Washington Post.

News of the penalty discussions follows the newspaper reporting last month that the FTC was close to concluding its investigation and looking to levy a record-setting fine. But it was unclear when the probe might conclude, because the FTC was closed due to the government's partial shutdown (see: Report: Federal Trade Commission Weighs Facebook Fine).

Facebook also faces a lawsuit filed by users in Washington federal court last year; they have accused the social network of violating consumer protection law by failing to protect personal data that consumers thought they'd secured using Facebook's confusing privacy controls. The lawsuit cites Cambridge Analytica as just one example of how Facebook allegedly shared users' personal data without their consent.

Sanctions in Europe

Facebook has already faced its first European moment of reckoning. In October 2018, the U.K. Information Commissioner's Office, which enforces the country's privacy laws, slammed Facebook with the maximum privacy penalty possible over the failures that facilitated the Cambridge Analytica debacle. The ICO fined Facebook £500,000 ($645,000), the maximum fine possible because the privacy failings occurred before the EU's General Data Protection Regulation, which sets much higher potential penalties, came into effect (see: Facebook Slammed With Maximum UK Privacy Fine).

In Germany, Facebook faces another assault on its privacy practices in the form of a proposed ruling from the country's antitrust authority.

The Bundeskartellamt, or Federal Cartel Office, says Facebook should not be allowed to require that users either submit to letting the social network collect and process their data however it chooses, or else be blocked from using the service altogether. Instead, the regulator says users should be allowed to choose whether Facebook will be allowed to mix their personal data with data the social network collects from its other services or third-party sources (see: German Antitrust Office Restricts Facebook Data Processing).

"We are carrying out what can be seen as an internal divestiture of Facebook's data," said Andreas Mundt, president of the Bundeskartellamt.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
